add documentation

cmd/wireproxy/main.go

@@ -11,8 +11,11 @@ import (
 	"suah.dev/protect"
 )
 
+// an argument to denote that this process was spawned by -d
 const daemonProcess = "daemon-process"
 
+// attempts to pledge and panic if it fails
+// this does nothing on non-OpenBSD systems
 func pledgeOrPanic(promises string) {
 	err := protect.Pledge(promises)
 	if err != nil {
@@ -21,6 +24,7 @@ func pledgeOrPanic(promises string) {
 }
 
 func main() {
+	// only allow standard stdio operation, file reading, networking, and exec
 	pledgeOrPanic("stdio rpath inet dns proc exec")
 
 	isDaemonProcess := len(os.Args) > 1 && os.Args[1] == daemonProcess
@@ -80,7 +84,7 @@ func main() {
 		return
 	}
 
-	// no file access is allowed from now on
+	// no file access is allowed from now on, only networking
 	pledgeOrPanic("stdio inet dns")
 
 	tnet, err := wireproxy.StartWireguard(conf.Device)